בס״ד

Cloudflare Access — kiosk bypass setup

docs/CF_ACCESS_KIOSK_BYPASS.md · last changed (pre-VM history) · rendered from GitHub master

Why this exists

The whole portal at ops.hookstreetservices.com is gated by Cloudflare Access. That's correct for everything Sam + Mildred + Chanie use, but WRONG for the iPad family kiosk — kids should never have to log in, and the iPad shouldn't be tied to one Google account.

The fix: create a separate Bypass policy on the kiosk path only. Anyone hitting ops.hookstreetservices.com/family-kiosk.html (and any kiosk assets) skips auth entirely. Everything else stays gated.

5-minute setup

  1. dash.cloudflare.com → pick the account that owns hookstreetservices.com → Zero Trust (it may redirect to one.dash.cloudflare.com).
  2. Access → Applications → find ops.hookstreetservices.com → click it.
  3. Top tabs → Policies → click Add a policy.
  4. Fill in:
    - Policy name: Family kiosk - bypass
    - Action: Bypass (very important — not Allow, not Block, Bypass)
    - Configure rules: add Include → Everyone (or leave empty for "any user")
  5. Save.
  6. Back on the application page → Path tab. Confirm the policy is path-scoped to /family-kiosk.html. If the app is currently set to protect the entire host, you need to either:
    - (Easier) Add a SECOND Access application that scopes ONLY to /family-kiosk.html with the Bypass policy. The original app stays as-is for everything else.
    - OR (cleaner) On the existing application, edit the Application Domain to be more specific, and add a new application for the kiosk path.

The easier path is to make a new Access application specifically for ops.hookstreetservices.com/family-kiosk.html with the Bypass policy. Cloudflare matches the path-specific application before the host-wide one, so the kiosk URL gets bypassed and the rest of the portal stays gated.

What the result feels like

Future kid-friendly URLs to add to the bypass

When new family-only pages get built (chore chart, family calendar print view, kid-specific dashboards), add them to the same Bypass policy:
- /family-kiosk.html
- /family-calendar.html (future)
- /chores.html (future)
- /treitels/* (if a subpath ever gets used)
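
A post-change check, added here as an example (not code from this repo): it takes the status and Location header of unauthenticated requests and flags any path whose behaviour does not match the bypass list above. The `example-team` Access domain, the `/admin.html` and `/treitels/photos/1.html` paths and the sample responses are constructed assumptions.

```python
"""Audit unauthenticated responses against the intended kiosk Bypass scope."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Paths this page intends to be reachable without login.
BYPASS_PATHS = ["/family-kiosk.html", "/family-calendar.html",
                "/chores.html", "/treitels/*"]

def is_access_challenge(status, location):
    """True when the response is a redirect to the Cloudflare Access login page."""
    if status not in (301, 302, 303, 307) or not location:
        return False
    parts = urlsplit(location)
    host = parts.hostname or ""
    return (host.endswith(".cloudflareaccess.com")
            or parts.path.startswith("/cdn-cgi/access/login"))

def should_be_open(path, bypass_paths=BYPASS_PATHS):
    """True when the path matches an entry of the bypass list ('*' is a wildcard)."""
    return any(fnmatchcase(path, pattern) for pattern in bypass_paths)

def audit(observations, bypass_paths=BYPASS_PATHS):
    """observations: (path, status, location) from requests sent with no cookies.
    Assumption: anything that is not an Access redirect reached the origin.
    Returns (path, finding) for every mismatch with the intended policy."""
    findings = []
    for path, status, location in observations:
        gated = is_access_challenge(status, location)
        open_by_design = should_be_open(path, bypass_paths)
        if open_by_design and gated:
            findings.append((path, "kiosk path still requires login"))
        elif not open_by_design and not gated:
            findings.append((path, "EXPOSED: reachable without Access login"))
    return findings

# Constructed sample responses; "example-team" is a placeholder team domain.
LOGIN = ("https://example-team.cloudflareaccess.com"
         "/cdn-cgi/access/login/ops.hookstreetservices.com")
SAMPLE = [
    ("/family-kiosk.html", 200, None),        # bypassed, as intended
    ("/index.html", 302, LOGIN),              # gated, as intended
    ("/admin.html", 200, None),               # bypass scoped too broadly
    ("/treitels/photos/1.html", 302, LOGIN),  # path missing from the bypass app
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

To run it against the live portal, collect each tuple with a client that sends no cookies and does not follow redirects, then pass the list to `audit`.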

Risks (and why they're acceptable)

Reversal

To re-gate the kiosk later (e.g. you decide kids should each have their own Google):
- Zero Trust → Access → Applications → the kiosk app → delete OR change Action from Bypass to Allow + add the kids' Gmails.
- Takes effect within seconds.


Saved 2026-05-31 PM as part of the family kiosk v2 build.

Source trail · docs/CF_ACCESS_KIOSK_BYPASS.md @ master · rendered 2026-07-02 7:23 PM EDT by scripts/build-docs.py · the .md in the repo is the truth; this page is the phone-readable view